Security is a fundamental part of our business. The functionality of our product relies on our users sharing very personal financial information with us so that we can perform trade calculations on their behalf. The purpose of this document is to describe our approach to protecting personal data and securing our systems.
A functioning Passiv account relies on having a live access token to interact with your investment account. You grant Passiv limited access to your brokerage account so that we can see your investment accounts, account holdings, and transaction history. The access we request is limited to read-only account data, so we cannot place or modify trades on your behalf.
This access is granted through a secure OAuth flow. The process works as follows:
Passiv periodically accesses information from your investment account in order to:
Additionally, when you access your Passiv account, we make live requests for information from your investment account in order to let you see real-time information about your account and calculated trades.
Passiv stores very limited personal data from your investment account. The only information that we store is basic account information: a list of all your investment accounts and the identifiers associated with them. We store this so that we can associate a target portfolio with each investment account. We do not store more detailed account information, such as your current holdings, open trades, or account equity. While Passiv does access detailed information from your investment account, the data is passed directly to the interface and is not persistently cached or stored in any way.
Besides basic account information, Passiv stores account transaction history in a secure form that allows us to detect new transactions without knowing the details of old ones. This works by hashing each transaction and storing only the hash, which serves as a record that we have previously seen any transaction which produces the same hash. As with other personal data, no part of the raw transaction data is persistently stored or cached.
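As an added illustration, not Passiv's own code (the page does not say which hash construction or transaction fields it uses), here is one way the hash-based transaction bookkeeping described above can work. The keyed hash, the field names and the sample transactions are assumptions of this example.

```python
import hashlib
import hmac
import json

# Hypothetical server-side secret (constructed placeholder); in production it
# would come from a key management system, never from source code.
TRANSACTION_HASH_KEY = b"placeholder-secret-key-not-for-production"

def canonicalize(tx: dict) -> bytes:
    """Deterministic encoding: sorted keys and fixed separators, so the same
    transaction hashes identically regardless of field order. Field names are
    assumed for this example, not Passiv's actual schema."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")

def transaction_fingerprint(tx: dict, key: bytes = TRANSACTION_HASH_KEY) -> str:
    """HMAC-SHA256 of the canonical transaction. Using a keyed hash rather than
    bare SHA-256 is this example's choice: transaction fields have low entropy
    (dates, symbols, round amounts), so an unkeyed digest table could be
    matched against guessed inputs if it ever leaked."""
    return hmac.new(key, canonicalize(tx), hashlib.sha256).hexdigest()

def find_new_transactions(seen_fingerprints: set, transactions: list) -> list:
    """Return transactions whose fingerprint is not in the stored set and record
    their fingerprints. Only digests persist; the raw transactions do not."""
    new = []
    for tx in transactions:
        fp = transaction_fingerprint(tx)
        if fp not in seen_fingerprints:
            seen_fingerprints.add(fp)
            new.append(tx)
    return new

# Constructed sample data: two successive fetches of one account's history.
FIRST_FETCH = [
    {"id": "T1", "date": "2024-03-01", "symbol": "XEQT", "units": 10, "amount": -300.0},
    {"id": "T2", "date": "2024-03-02", "symbol": "ZAG", "units": 5, "amount": -75.0},
]
SECOND_FETCH = FIRST_FETCH + [
    {"id": "T3", "date": "2024-03-05", "symbol": "XEQT", "units": 2, "amount": -61.0},
]

def demo() -> list:
    """Process both fetches; the second yields only the one new transaction id."""
    seen = set()
    find_new_transactions(seen, FIRST_FETCH)
    return [tx["id"] for tx in find_new_transactions(seen, SECOND_FETCH)]
```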
Passiv runs its software on a private dedicated server in a major datacentre. Our server is hosted in Canada, so everything falls under the jurisdiction of the Canadian legal system. We limit server access to only key employees who need access to production resources. The server is frequently screened for vulnerabilities and patched where appropriate. Standard security practices such as a firewall and SSH keys are used to limit access and reduce attack surface. All networked services running on the server are locally bound and password protected where possible. Database backups are made frequently and strongly encrypted before uploading to a secure remote location.
Moving forward, we are working on implementing at-rest encryption for database assets and a robust key management system.
To build your portfolio, you need to choose securities and what proportion of your funds to invest in each. You can add as many securities as you wish and allocate as little as 1% of your funds to each.
Start by searching for a security by name or trading symbol. Once you've found the security you want, adjust the slider by adding a percentage of your funds to the security.
The number of units to hold will be automatically calculated and presented to you once you have selected all your securities and assigned 100% of your funds.